Digital Skimming: The Growing Threat to Businesses in the Digital Era
The movement of money from physical to digital has revolutionized how we bank and shop. However, this shift has also attracted criminals, replacing traditional heists with sophisticated digital thefts. Data is as valuable as money in today’s economy, making nearly every business a potential target for digital skimming attacks.
From customer lists and payroll information to sensitive card details (card numbers, expiry dates, and CVV codes), businesses store immense amounts of highly desirable data for cyber criminals. It’s no surprise then that card fraud is a $48 billion problem annually, with projections to double to $100 billion by 2027.
With cybercrime showing no signs of slowing down and new PCI DSS requirements for payment pages coming into effect on April 1, 2025, businesses must act now to protect themselves. In this post, we’ll explore digital skimming, its impacts, how it works, and, most importantly, how businesses can defend against this growing threat.
What Is Digital Skimming?
Digital skimming, also known as e-skimming, formjacking, or data skimming, is a type of cyberattack where criminals steal sensitive information entered into web forms. This often includes payment data from online checkout pages or personally identifiable information (PII) entered into other online forms.
These attacks typically exploit vulnerabilities in a website’s infrastructure, allowing malicious actors to inject JavaScript-based skimmers into payment pages, an approach commonly known as a Magecart attack. What makes these attacks so dangerous is their stealth: the payment process appears unaffected, leaving both the customer and the merchant unaware of the compromise.
The Scale of the Problem
Digital skimming is a major and growing problem with devastating consequences for both businesses and consumers. Recent high-profile breaches underscore just how widespread and damaging these attacks can be:
- In July 2024, AT&T admitted that criminals had accessed nearly all call and text data of its 110 million customers over a six-month period.
- A cyberattack on UK pathology lab Synnovis in June 2024 resulted in data theft from 300 million patient interactions, disrupting healthcare services for weeks.
- A breach at Ticketmaster exposed the personal data of 560 million customers, which attackers threatened to publish on the dark web.
These examples highlight the severity of digital skimming and its far-reaching consequences.
The Business Impact of Digital Skimming
The cost of a digital skimming attack goes far beyond the immediate data theft. Businesses face direct financial losses, incident response costs, regulatory fines, and breach notification expenses. For example:
- Kaiser Permanente, a U.S. health insurance provider, revealed that tracking technologies on its website had exposed the private health data of 13.4 million patients.
- Similarly, the U.S. Postal Service faced backlash after tracking pixels on its site potentially compromised the data of 62 million users.
Beyond financial losses, the indirect costs to a business are even more significant. A data breach can damage a brand’s reputation, erode customer trust, and result in long-term loss of business. For instance, Australian prescriptions provider MediSecure declared insolvency just weeks after disclosing a ransomware attack that exposed the data of 13 million people.
How Digital Skimming Works
Digital skimming attacks typically follow a four-step process:
- Initial Breach: Attackers access a website’s source code or infrastructure directly or through a third-party provider. This is often achieved through software vulnerabilities, malware, or stolen credentials.
- Code Injection: Malicious JavaScript code is injected into payment pages. Attackers tailor their methods depending on whether payment forms are embedded directly in the page or delivered through an iframe.
- Data Exfiltration: When customers input payment or personal data, the malicious code covertly collects and encrypts the information before sending it to the attacker’s server.
- Monetization: Stolen data is used for fraudulent purchases or sold on the dark web, where it is used to create fake identities, issue counterfeit cards, or support other criminal activities.
Who Is at Risk?
The short answer: every business.
Cybercriminals don’t discriminate based on the size or nature of a business. Whether you’re a global retailer, a small nonprofit, or a government agency, you’re a target. Criminals seek out cardholder data and PII because of its high resale value and utility in fraud.
The most common type of data stolen in 2024 was customer PII (48%), but employee PII, such as tax IDs and home addresses, is even more lucrative for criminals. If your business collects or processes data, it’s essential to assume it has value to attackers and take appropriate precautions.
The Rise of Magecart Attacks
A specific type of digital skimming attack, Magecart, has become synonymous with skimming payment pages. Named after the Magento e-commerce platform and shopping carts, Magecart attacks involve injecting malicious JavaScript to steal card data entered during transactions.
Magecart attacks can take two forms:
- First-Party Attacks: Criminals directly compromise the victim’s website by injecting skimming code into the payment page. For example, the 2023 breach of DNA testing company 23andMe exposed nearly 7 million user records.
- Third-Party Attacks: Malicious code is injected through a third-party provider, also known as a supply chain attack. This is particularly concerning as modern websites rely on multiple third-party scripts to function, each of which can serve as an entry point for attackers.
How to Protect Against Digital Skimming
To safeguard your business from digital skimming, start by implementing these key measures:
- Prevent Unauthorized Access: Use strong passwords, enforce unique logins, and ensure firewalls, encryption, and anti-virus tools are in place.
- Regular Security Assessments: Conduct routine monitoring, third-party due diligence, and security audits to identify vulnerabilities.
- Secure Code Practices: Follow secure coding standards and maintain compliance with security frameworks like PCI DSS.
New PCI DSS v4.0 Requirements
Recognizing the growing threat of digital skimming, the PCI Security Standards Council introduced two new requirements in PCI DSS v4.0, effective April 2025:
- Requirement 6.4.3: Manage all JavaScript present on payment pages to minimize attack surfaces.
- Requirement 11.6.1: Detect and alert on any tampering or unauthorized changes to payment pages.
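As an added example that is not part of the original post or of any PCI SSC material, the following Python script shows the kind of inventory-and-diff check these two requirements call for: it lists every script on a payment page, fingerprints it, and reports additions, removals, changes, and external scripts that lack an integrity attribute. The page markup and the `.invalid` hostname are constructed for the demo.

```python
import hashlib
import re

# Constructed sample page for the demo (not real merchant markup).
BASELINE_HTML = """<html><body>
<form id="checkout"><input name="pan"><input name="cvv"></form>
<script src="/static/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.cfg = {currency: "USD"};</script>
</body></html>"""

# The same page after a simulated compromise: the inline block was edited and
# an unauthorized external script with no integrity attribute was appended.
TAMPERED_HTML = BASELINE_HTML.replace(
    'window.cfg = {currency: "USD"};',
    'window.cfg = {currency: "USD"}; /* extra statement */',
).replace("</body>", '<script src="https://cdn.example-placeholder.invalid/a.js"></script>\n</body>')

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
INTEGRITY_RE = re.compile(r"\bintegrity\s*=", re.I)

def inventory(html):
    """Requirement 6.4.3-style inventory: one entry per <script>, keyed by src
    for external scripts and by ordinal for inline ones. External entries are
    fingerprinted by their tag attributes (src plus integrity value), inline
    ones by their body, so any edit changes the fingerprint."""
    items, n = {}, 0
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            key, material, has_sri = m.group(1), attrs.strip(), bool(INTEGRITY_RE.search(attrs))
        else:
            key, material, has_sri, n = f"inline#{n}", body.strip(), True, n + 1
        items[key] = {"sha256": hashlib.sha256(material.encode()).hexdigest(), "sri": has_sri}
    return items

def check_page(baseline_html, current_html):
    """Requirement 11.6.1-style change detection: diff the current page against
    the authorized baseline and return what an alert should contain."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "added": sorted(k for k in cur if k not in base),
        "missing": sorted(k for k in base if k not in cur),
        "changed": sorted(k for k in base if k in cur and base[k]["sha256"] != cur[k]["sha256"]),
        "no_integrity": sorted(k for k, v in cur.items() if not v["sri"]),
    }

if __name__ == "__main__":
    print(check_page(BASELINE_HTML, TAMPERED_HTML))
```

In practice the baseline would be captured from the authorized release and the check run against the live page on a schedule, with any non-empty result raised as an alert.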
Conclusion
Digital skimming is a rapidly growing threat, but businesses can protect themselves and their customers with the right tools and precautions. By staying informed, implementing strong security practices, and leveraging technologies, you can build a robust defense against this modern-day scourge.